Domain Control Policy
By Bhagyashri Jadhav
Domain controller
• It is a server on a network that is responsible for allowing host access to domain resources.
• It authenticates users, stores user account information and enforces security policy for a domain.
• It is most commonly implemented in Microsoft Windows environments (see Domain controller (Windows)), where it is the centerpiece of the Windows Active Directory service.
• However, non-Windows domain controllers can be established via identity management software such as Samba and Red Hat FreeIPA.
Domain controllers are typically deployed as a cluster to ensure high availability and maximize reliability. In a Windows environment, one domain controller serves as the Primary Domain Controller (PDC) and all other servers promoted to domain controller status in the domain serve as Backup Domain Controllers (BDCs).
• A domain controller is a server that responds to authentication requests and verifies users on computer networks.
• Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.
• The domain controller (DC) is the box that holds the keys to the kingdom: Active Directory (AD).
• While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but actually use DCs to detect cyber attacks in progress.
The Main Function of a Domain Controller
The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.
What is Authentication?
Authentication is the process of verifying a user's identity on a network. Authentication includes two components:
• Network authentication: grants access to network resources
• Interactive logon: grants access to the local computer
What is Authorization?
Authorization is the process of verifying that an authenticated user has permission to perform an action.
• Security principals are issued security identifiers (SIDs) when the account is created.
• User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs.
• Shared resources on a network include access control lists (ACLs) that define who can access the resource.
• The security token is compared against the Discretionary Access Control List (DACL) on the resource and access is granted or denied.
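The token-versus-DACL comparison described above, as an added Python model (not code from the slides or from Windows). The rights bits, SIDs, group names and the sample DACL are constructed; the evaluation order mirrors the documented Windows behaviour of walking ACEs in order, with an explicit deny entry ending the check and allow entries accumulating rights.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed access-mask bits (real Windows masks use different values).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class Ace:
    """One access control entry in a DACL."""
    kind: str        # "allow" or "deny"
    trustee: str     # SID of the user or group this entry applies to
    mask: int        # rights covered by this entry


@dataclass
class Token:
    """What the DC hands the user at logon: their SID plus the SIDs of their groups."""
    user_sid: str
    group_sids: List[str]

    def sids(self) -> Set[str]:
        return {self.user_sid, *self.group_sids}


def access_check(token: Token, dacl: Optional[List[Ace]], requested: int) -> bool:
    """Decide whether `token` gets every right in `requested` on a resource with `dacl`.

    Rules modelled on Windows: a NULL DACL (None) grants everyone everything, an
    empty DACL grants nobody anything, ACEs are walked in order, a matching deny
    entry that overlaps the request ends the check, and allow entries accumulate
    rights until the request is fully covered.
    """
    if requested == 0 or dacl is None:
        return True
    sids = token.sids()
    granted = 0
    for ace in dacl:
        if ace.trustee not in sids:
            continue                         # entry is for some other principal
        if ace.kind == "deny" and ace.mask & requested:
            return False                     # explicit deny wins
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True                  # everything asked for is covered
    return False                             # DACL exhausted without full coverage


def is_canonical(dacl: List[Ace]) -> bool:
    """Canonical order puts explicit deny entries before allow entries. Because the
    check walks ACEs in order, an out-of-order DACL can let a denied principal through."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed domain SIDs; 513 is the well-known Domain Users RID, the others are made up.
DOMAIN_USERS = "S-1-5-21-1-1-1-513"
FINANCE = "S-1-5-21-1-1-1-1104"
CONTRACTORS = "S-1-5-21-1-1-1-1105"

FINANCE_SHARE_DACL = [
    Ace("deny", CONTRACTORS, WRITE | DELETE),                 # contractors never modify
    Ace("allow", DOMAIN_USERS, READ | EXECUTE),               # everyone in the domain reads
    Ace("allow", FINANCE, READ | WRITE | EXECUTE | DELETE),   # finance staff have full control
]

alice = Token("S-1-5-21-1-1-1-1001", [DOMAIN_USERS, FINANCE])
bob = Token("S-1-5-21-1-1-1-1002", [DOMAIN_USERS, FINANCE, CONTRACTORS])  # finance contractor
eve = Token("S-1-5-21-1-1-1-1003", [])                                    # no matching group
```

Bob's membership in Finance does not override the deny entry for Contractors, which is why the DACL ordering check matters when auditing resource permissions.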
Why Deploy AD DS?
AD DS provides a centralized system for managing users, computers, and other resources on a network. AD DS features include:
• Centralized directory
• Single sign-on access
• Integrated security
• Scalability
• Common management interface
Centralized Network Management
AD DS centralizes network management by providing:
• Single location and set of tools for managing user and group accounts
• Single location for assigning access to shared network resources
• Directory service for AD DS enabled applications
• Options for configuring security policies that apply to all users and computers
• Group policies to manage user desktops and security settings
Requirements for Installing AD DS
TCP/IP
• Configure appropriate TCP/IP and DNS server addresses.
Credentials
• To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.
Domain Name System (DNS) Infrastructure
• Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed.
• When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
Overview of AD DS and DNS
• AD DS requires a DNS infrastructure.
• AD DS domain names must be DNS domain names.
• AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers.
• DNS zones can be stored in AD DS as Active Directory integrated zones.
Component Overview
AD DS is composed of both physical and logical components.
Physical components:
• Data store
• Domain controllers
• Global catalog server
• Read-Only Domain Controller (RODC)
Logical components:
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• Organizational units (OUs)
Overview of AD DS Physical Components
• Domain Controllers
• Global Catalog Servers
• Data Store
• Replication
• Sites
Domain Controllers
A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller. Domain controllers:
• Host a copy of the AD DS directory store
• Provide authentication and authorization services
• Replicate updates to other domain controllers in the domain and forest
• Allow administrative access to manage user accounts and network resources
Windows Server 2008 and later supports RODCs.
Global Catalog Servers
Global catalog servers are domain controllers that also store a copy of the global catalog. The global catalog:
• Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
• Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
• Is required for users to log on to a domain
What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications. The AD DS data store:
• Consists of the Ntds.dit file
• Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
• Is accessible only through the domain controller processes and protocols
What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest. AD DS replication:
• Ensures that all domain controllers have the same information
• Uses a multimaster replication model
• Can be managed by creating AD DS sites
The AD DS replication topology is created automatically as new domain controllers are added to the domain.
What are Sites?
An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection. Sites are:
• Associated with IP subnets
• Used to manage replication traffic
• Used to manage client logon traffic
• Used by site-aware applications such as Distributed File System (DFS) or Exchange Server
• Used to assign group policy objects to all users and computers in a company location
What is the AD DS Schema?
The AD DS Schema:
• Defines every type of object that can be stored in the directory
• Enforces rules regarding object creation and configuration
Schema object types:
• Class object: defines what objects can be created in the directory (examples: User, Computer)
• Attribute object: defines information that can be attached to an object (example: Display name)
The Basics: Domains
Domains are used to group and manage objects in an organization (for example, contoso.com). Domains are:
• An administrative boundary for applying policies to groups of objects
• A replication boundary for replicating data between domain controllers
• An authentication and authorization boundary that provides a way to limit the scope of access to resources
The Basics: Trees
A domain tree is a hierarchy of domains in AD DS (for example, contoso.com with the child domains na.contoso.com and emea.contoso.com). All domains in the tree:
• Share a contiguous namespace with the parent domain
• Can have additional child domains
• By default create a two-way transitive trust with other domains
Introduction to Multitenancy Using Domains
• The Firepower System allows you to implement multitenancy using domains.
• Domains segment user access to managed devices, configurations, and events.
• You can create up to 50 subdomains under a top-level Global domain, in two or three levels.
• When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.
• In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.
• The system limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain.
• Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain's devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
One Domain Level: Global
• If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
Two Domain Levels: Global and Second-Level
• In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:
• Administrators at the MSSP logging into the Global domain cannot view or edit customers' deployments. They must log into the respective second-level named subdomains to manage the customers' deployments.
• Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.
Three Domain Levels: Global, Second-Level, and Third-Level
• In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain.
• To extend the previous example, consider a scenario where an MSSP customer, already restricted to a subdomain, wants to further segment its deployment.
• This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:
• Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments. They must log into the respective leaf domain to manage the devices deployed on the network edge.
• Administrators for the customer's edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer's internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
Domain Properties
To modify a domain's properties, you must have Administrator access in that domain's parent domain.
• Name and Description: Each domain must have a unique name within its hierarchy. A description is optional.
• Parent Domain: Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.
• Devices: Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device. In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.
• Host Limit: The number of hosts a Firepower Management Center can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.
• To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.
• Setting the host limit has a different effect at each domain level:
  • Leaf: For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.
  • Second Level: For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.
  • Global: For the Global domain, the host limit is equal to the total number of hosts a Firepower Management Center can monitor. You cannot change it.
• The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.
• The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time. Because each leaf domain has its own network discovery policy, each leaf domain governs its own behaviour when the system discovers a new host.
• If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.
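The host-limit rules above (shared pools, oversubscribed subdomain limits, the drop-or-replace discovery policy, and deletion on shrinking a limit) as an added Python simulation; this is not Cisco code, and the scaled-down limits of 15 and 10 are constructed stand-ins for the 150,000 and 100,000 in the example. It assumes that a replaced host is taken from the discovering leaf domain's own network map.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DROP = "drop"                 # discovery policy: discard the newly detected host
REPLACE_OLDEST = "replace"    # discovery policy: evict the longest-inactive host


@dataclass
class Domain:
    name: str
    host_limit: int                       # 0 = no own limit, share the parent's pool
    parent: Optional["Domain"] = None
    policy: str = DROP                    # network discovery policy (leaf domains)
    children: List["Domain"] = field(default_factory=list)
    hosts: Dict[str, int] = field(default_factory=dict)   # ip -> last-seen time (leaf only)
    monitored: int = 0                    # hosts currently counted in this subtree

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def is_leaf(self) -> bool:
        return not self.children

    def _lineage(self):
        d = self
        while d is not None:
            yield d
            d = d.parent

    def _full_domain(self) -> Optional["Domain"]:
        """First domain from this one up to Global whose explicit limit is exhausted."""
        for d in self._lineage():
            if d.host_limit > 0 and d.monitored >= d.host_limit:
                return d
        return None

    def _count(self, delta: int) -> None:
        for d in self._lineage():
            d.monitored += delta

    def remove(self, ip: str) -> None:
        del self.hosts[ip]
        self._count(-1)

    def discover(self, ip: str, now: int) -> bool:
        """A device in this leaf domain reports host `ip`; return True if it is kept."""
        if not self.is_leaf():
            raise ValueError("only leaf domains contain devices and network maps")
        if ip in self.hosts:                       # known host: refresh activity only
            self.hosts[ip] = now
            return True
        if self._full_domain() is not None:        # own, parent, or Global pool is full
            if self.policy == DROP or not self.hosts:
                return False
            # Assumption: the replaced host comes from this leaf's own network map.
            self.remove(min(self.hosts, key=self.hosts.get))
        self.hosts[ip] = now
        self._count(+1)
        return True

    def set_host_limit(self, new_limit: int) -> None:
        """Change a subdomain limit; shrinking below the map size deletes the longest-inactive hosts."""
        if self.parent is None:
            raise ValueError("the Global host limit is fixed by the appliance model")
        self.host_limit = new_limit
        while new_limit > 0 and self.is_leaf() and len(self.hosts) > new_limit:
            self.remove(min(self.hosts, key=self.hosts.get))


def two_level_demo() -> dict:
    """Global pool of 15 shared by two customers limited to 10 each: either can fill its 10, not both."""
    glob = Domain("Global", host_limit=15)
    cust_a = Domain("CustomerA", 10, glob, policy=DROP)
    cust_b = Domain("CustomerB", 10, glob, policy=REPLACE_OLDEST)
    a_kept = sum(cust_a.discover(f"10.1.0.{i}", now=i) for i in range(12))
    b_kept = sum(cust_b.discover(f"10.2.0.{i}", now=100 + i) for i in range(12))
    cust_a.set_host_limit(7)                       # shrink: the three oldest A hosts are deleted
    return {
        "a_kept": a_kept, "b_kept": b_kept,
        "a_map": sorted(cust_a.hosts), "b_map": len(cust_b.hosts),
        "global_monitored": glob.monitored,
    }


def three_level_demo() -> dict:
    """A second-level customer limit of 6 is a pool shared by its edge and internal leaf domains."""
    glob = Domain("Global", host_limit=15)
    customer = Domain("Customer", 6, glob)
    edge = Domain("Edge", 0, customer, policy=DROP)
    internal = Domain("Internal", 0, customer, policy=DROP)
    edge_kept = sum(edge.discover(f"192.0.2.{i}", now=i) for i in range(4))
    internal_kept = sum(internal.discover(f"198.51.100.{i}", now=i) for i in range(4))
    return {"edge": edge_kept, "internal": internal_kept,
            "customer_monitored": customer.monitored, "global_monitored": glob.monitored}
```

In the two-level run CustomerA fills its 10, CustomerB gets only the 5 left in the Global pool and then keeps replacing its own longest-inactive host, which is the "any of those domains, but not all" behaviour described above.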

The Basics: Forests
A forest is a collection of one or more domain trees. Forests:
• Share a common schema
• Share a common configuration partition
• Share a common global catalog to enable searching
• Enable trusts between all domains in the forest
• Share the Enterprise Admins and Schema Admins groups
The Basics: Organizational Units (OUs)
OUs are Active Directory containers that can contain users, groups, computers, and other OUs. OUs are used to:
• Represent your organization hierarchically and logically
• Manage a collection of objects in a consistent way
• Delegate permissions to administer groups of objects
• Apply policies
Trusts
Trusts provide a mechanism for users to gain access to resources in another domain.
• Directional: the trust direction flows from the trusting domain to the trusted domain
• Transitive: the trust relationship is extended beyond a two-domain trust to include other trusted domains
• All domains in a forest trust all other domains in the forest
• Trusts can extend outside the forest
AD DS Objects
User
• Enables network resource access for a user
InetOrgPerson
• Similar to a user account
• Used for compatibility with other directory services
Contacts
• Used primarily to assign e-mail addresses to external users
• Does not enable network access
Groups
• Used to simplify the administration of access control
Computers
• Enables authentication and auditing of computer access to resources
Printers
• Used to simplify the process of locating and connecting to printers
Shared folders
• Enables users to search for shared folders based on properties
Why is a Domain Controller Important?
• Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.
Domain Controller vs. Active Directory
ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine
Active Directory is a type of domain, and a domain controller is an important server on that domain. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.
Domain Control Policy
• A domain security policy is a security policy that is specifically applied to a given domain or set of computers or drives in a given system. System administrators use a domain security policy to set security protocols for part of a network, including password protocols, access levels and much more.
• Some technology users confuse domain security policy and domain controller security policy. Experts describe the difference this way: while a domain controller security policy only applies to the specific hardware designated as the domain controller, the domain security policy governs the entire domain. An administrator can, for example, control the required password strength within the domain, change encryption or alter other aspects of domain security by using the domain security policy settings.
• Those using Microsoft operating systems (OS) and other OS types can often change domain security policy settings through provided controls. Users can change items like password policy, account lockout policy and other aspects of domain security. In other cases, users may have to use more advanced controls to customize a domain security policy.
• How to create a domain: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/domain_management.html
• Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain settings in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member servers and workstations.
• The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:
  • All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (this includes all of the Account Lockout, Password, and Kerberos policies)
  • The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options:
    • Automatically log off users when logon time expires
    • Rename administrator account
    • Rename guest account
• The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container (the settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options):
  • Accounts: Administrator account status
  • Accounts: Guest account status
  • Accounts: Rename administrator account
  • Accounts: Rename guest account
  • Network security: Force logoff when logon hours expire
Benefits of Domain Controller
• Centralized user management
• Enables resource sharing for files and printers
• Federated configuration for redundancy (FSMO)
• Can be distributed and replicated across large networks
• Encryption of user data
• Can be hardened and locked down for improved security
Limitations of Domain Controller
• Target for cyberattack
• Potential to be hacked
• Users and OS must be maintained to be stable, secure and up-to-date
• Network is dependent on DC uptime
• Hardware/software requirements

Quality defects in TMT Bars, Possible causes and Potential Solutions.
PrashantGoswami42
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 

Recently uploaded (20)

Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
 
ethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.pptethical hacking-mobile hacking methods.ppt
ethical hacking-mobile hacking methods.ppt
 
HYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generationHYDROPOWER - Hydroelectric power generation
HYDROPOWER - Hydroelectric power generation
 
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdfTop 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
Top 10 Oil and Gas Projects in Saudi Arabia 2024.pdf
 
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&BDesign and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfCOLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdf
 
addressing modes in computer architecture
addressing modes  in computer architectureaddressing modes  in computer architecture
addressing modes in computer architecture
 
Automobile Management System Project Report.pdf
Automobile Management System Project Report.pdfAutomobile Management System Project Report.pdf
Automobile Management System Project Report.pdf
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdfHybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdf
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.Quality defects in TMT Bars, Possible causes and Potential Solutions.
Quality defects in TMT Bars, Possible causes and Potential Solutions.
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 

Final domain control policy

  • 1. Domain Control Policy. By Bhagyashri Jadhav
  • 2. Domain controller
    • It is a server on a network that is responsible for allowing host access to domain resources.
    • It authenticates users, stores user account information and enforces security policy for a domain.
    • It is most commonly implemented in Microsoft Windows environments (see Domain controller (Windows)), where it is the centerpiece of the Windows Active Directory service.
    • However, non-Windows domain controllers can be established via identity management software such as Samba and Red Hat FreeIPA.
  • 3. Domain controllers are typically deployed as a cluster to ensure high availability and maximize reliability. In a Windows environment, one domain controller serves as the Primary Domain Controller (PDC) and all other servers promoted to domain controller status in the domain serve as Backup Domain Controllers (BDCs).
  • 4. Domain controller
    • A domain controller is a server that responds to authentication requests and verifies users on computer networks.
    • Domains are a hierarchical way of organizing users and computers that work together on the same network. The domain controller keeps all of that data organized and secured.
    • The domain controller (DC) is the box that holds the keys to the kingdom: Active Directory (AD).
    • While attackers have all sorts of tricks to gain elevated access on networks, including attacking the DC itself, you can not only protect your DCs from attackers but actually use DCs to detect cyber attacks in progress.
  • 5. The Main Function of a Domain Controller? The primary responsibility of the DC is to authenticate and validate user access on the network. When users log into their domain, the DC checks their username, password, and other credentials to either allow or deny access for that user.
  • 6. What is Authentication? Authentication is the process of verifying a user's identity on a network. Authentication includes two components:
    • Network authentication: grants access to network resources
    • Interactive logon: grants access to the local computer
  • 7. What is Authorization? Authorization is a process of verifying that an authenticated user has permission to perform an action.
    • Security principals are issued security identifiers (SIDs) when the account is created
    • User accounts are issued security tokens during authentication that include the user's SID and all related group SIDs
    • Shared resources on a network include access control lists (ACLs) that define who can access the resource
    • The security token is compared against the Discretionary Access Control List (DACL) on the resource and access is granted or denied
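As an added example (not part of the original slides), this PowerShell snippet shows the token-versus-DACL comparison slide 7 describes, for a file system resource: it collects the SIDs carried in the current access token and matches them against the ACEs on a path, applying Deny before Allow for one requested right. Get-TokenSids and Test-DaclAccess are names chosen for this example; it assumes a Windows host and a path whose ACL the caller may read.

```powershell
# Added example (not from the original slides): the authorization check of
# slide 7 on a file system object. Assumes Windows; function names are ours.
function Get-TokenSids {
    # The token issued at logon carries the user's SID plus all group SIDs.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($identity.User.Value)
    $sids += $identity.Groups | ForEach-Object { $_.Value }
    return $sids
}

function Test-DaclAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Right to evaluate; ReadData is also contained in Modify and FullControl.
        [System.Security.AccessControl.FileSystemRights] $Right = 'ReadData',
        [string[]] $TokenSids = (Get-TokenSids)
    )
    $acl = Get-Acl -Path $Path
    $matching = foreach ($ace in $acl.Access) {
        # InheritOnly ACEs apply to children, not to the object itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # Compare SIDs, not names: translate the ACE's account to its SID.
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned (unresolvable) SID entries are skipped
        if ($TokenSids -contains $aceSid) {
            [pscustomobject]@{
                Identity = $ace.IdentityReference.Value
                Sid      = $aceSid
                Type     = $ace.AccessControlType   # Allow or Deny
                Rights   = $ace.FileSystemRights
            }
        }
    }
    # An ACE only counts for the requested right if its rights mask covers it.
    $covering = $matching | Where-Object { $_.Rights -band $Right }
    $denied   = [bool]($covering | Where-Object Type -eq 'Deny')
    $allowed  = [bool]($covering | Where-Object Type -eq 'Allow')
    [pscustomobject]@{
        Path          = $Path
        Right         = $Right
        MatchingAces  = $matching        # every ACE that names a SID in the token
        # Deny is evaluated before Allow; no matching ACE at all means denied.
        AccessGranted = (-not $denied) -and $allowed
    }
}

# Example run: which ACEs on the Windows directory match the caller's token?
Test-DaclAccess -Path $env:SystemRoot | Format-List
```

For resources in the directory itself the same idea applies with `Get-Acl -Path 'AD:\<object DN>'`, whose ACEs carry ActiveDirectoryRights instead of FileSystemRights.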
  • 8. Why Deploy AD DS? AD DS provides a centralized system for managing users, computers, and other resources on a network. AD DS features include:
    • Centralized directory
    • Single sign-on access
    • Integrated security
    • Scalability
    • Common management interface
  • 9. Centralized Network Management. AD DS centralizes network management by providing:
    • Single location and set of tools for managing user and group accounts
    • Single location for assigning access to shared network resources
    • Directory service for AD DS enabled applications
    • Options for configuring security policies that apply to all users and computers
    • Group policies to manage user desktops and security settings
  • 10. Requirements for Installing AD DS
    • TCP/IP: Configure appropriate TCP/IP and DNS server addresses.
    • Credentials: To install a new AD DS forest, you need to be local Administrator on the server. To install an additional domain controller in an existing domain, you need to be a member of the Domain Admins group.
    • Domain Name System (DNS) Infrastructure: Verify that a DNS infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process. Creating a DNS delegation requires credentials that have permissions to update the parent DNS zones.
  • 11. Overview of AD DS and DNS. AD DS requires a DNS infrastructure:
    • AD DS domain controller records must be registered in DNS to enable other domain controllers and client computers to locate the domain controllers
    • AD DS domain names must be DNS domain names
    • DNS zones can be stored in AD DS as Active Directory integrated zones
  • 12. Component Overview. AD DS is composed of both physical and logical components.
    • Physical components: Data store, Domain controllers, Global catalog server, Read-Only Domain Controller (RODC)
    • Logical components: Partitions, Schema, Domains, Domain trees, Forests, Sites, Organizational units (OUs)
  • 13. Overview of AD DS Physical Components: Domain Controllers, Global Catalog Servers, Data Store, Replication, Sites
  • 14. Domain Controllers. A domain controller is a server with the AD DS server role installed that has specifically been promoted to a domain controller. Domain controllers:
    • Host a copy of the AD DS directory store
    • Provide authentication and authorization services
    • Replicate updates to other domain controllers in the domain and forest
    • Allow administrative access to manage user accounts and network resources
    Windows Server 2008 and later supports RODCs.
  • 15. Global Catalog Servers. Global catalog servers are domain controllers that also store a copy of the global catalog. The global catalog:
    • Contains a copy of all AD DS objects in a forest that includes only some of the attributes for each object in the forest
    • Improves efficiency of object searches by avoiding unnecessary referrals to domain controllers
    • Is required for users to log on to a domain
  • 16. What is the AD DS Data Store? The AD DS data store contains the database files and processes that store and manage directory information for users, services, and applications. The AD DS data store:
    • Consists of the Ntds.dit file
    • Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
    • Is accessible only through the domain controller processes and protocols
  • 17. What is AD DS Replication? AD DS replication copies all updates of the AD DS database to all other domain controllers in a domain or forest. AD DS replication:
    • Ensures that all domain controllers have the same information
    • Uses a multimaster replication model
    • Can be managed by creating AD DS sites
    The AD DS replication topology is created automatically as new domain controllers are added to the domain.
  • 18. What are Sites? An AD DS site is used to represent a network segment where all domain controllers are connected by a fast and reliable network connection. Sites are:
    • Associated with IP subnets
    • Used to manage replication traffic
    • Used to manage client logon traffic
    • Used by site-aware applications such as Distributed File System (DFS) or Exchange Server
    • Used to assign group policy objects to all users and computers in a company location
  • 19. What is the AD DS Schema? The AD DS schema defines every type of object that can be stored in the directory and enforces rules regarding object creation and configuration. Object types:
    • Class object: defines what objects can be created in the directory (examples: User, Computer)
    • Attribute object: defines information that can be attached to an object (example: Display name)
  • 20. The Basics: Domains. Domains are used to group and manage objects in an organization (for example, contoso.com). A domain is:
    • An administrative boundary for applying policies to groups of objects
    • A replication boundary for replicating data between domain controllers
    • An authentication and authorization boundary that provides a way to limit the scope of access to resources
  • 21. The Basics: Trees. A domain tree is a hierarchy of domains in AD DS (for example, contoso.com with the child domains na.contoso.com and emea.contoso.com). All domains in the tree:
    • Share a contiguous namespace with the parent domain
    • Can have additional child domains
    • By default create a two-way transitive trust with other domains
  • 22. Introduction to Multitenancy Using Domains
    • The Firepower System allows you to implement multitenancy using domains.
    • Domains segment user access to managed devices, configurations, and events.
    • You can create up to 50 subdomains under a top-level Global domain, in two or three levels.
    • When you log into the Firepower Management Center, you log into a single domain, called the current domain. Depending on your user account, you may be able to switch to other domains.
    • In addition to any restrictions imposed by your user role, your current domain level can also limit your ability to modify various Firepower System configurations. The system limits most management tasks, like system software updates, to the Global domain.
  • 23. Leaf domains
    • The system limits other tasks to leaf domains, which are domains with no subdomains. For example, you must associate each managed device with a leaf domain, and perform device management tasks from the context of that leaf domain.
    • Each leaf domain builds its own network map, based on the discovery data collected by that leaf domain's devices. Events reported by a managed device (connection, intrusion, malware, and so on) are also associated with the device's leaf domain.
  • 24. One Domain Level: Global
    • If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain, which in this scenario is also a leaf domain. Except for domain management, the system hides domain-specific configurations and analysis options until you add subdomains.
  • 25. Two Domain Levels: Global and Second-Level
    • In a two-level multidomain deployment, the Global domain has direct descendant domains only. For example, a managed security service provider (MSSP) can use a single Firepower Management Center to manage network security for multiple customers:
    • Administrators at the MSSP logging into the Global domain cannot view or edit customers' deployments. They must log into the respective second-level named subdomains to manage the customers' deployments.
    • Administrators for each customer can log into second-level named subdomains to manage only the devices, configurations, and events applicable to their organizations. These local administrators cannot view or affect the deployments of other customers of the MSSP.
  • 26. Three Domain Levels: Global, Second-Level, and Third-Level
    • In a three-level multidomain deployment, the Global domain has subdomains, at least one of which has its own subdomain.
    • To extend the previous example, consider a scenario where an MSSP customer—already restricted to a subdomain—wants to further segment its deployment.
    • This customer wants to separately manage two classes of device: devices placed on network edges and devices placed internally:
    • Administrators for the customer logging into the second-level subdomain cannot view or edit the customer's edge network deployments.
  • 27. Three Domain Levels (continued)
    • They must log into the respective leaf domain to manage the devices deployed on the network edge.
    • Administrators for the customer's edge network can log into a third-level (leaf) domain to manage only the devices, configurations, and events applicable to devices deployed on the network edge. Similarly, administrators for the customer's internal network can log into a different third-level domain to manage internal devices, configurations, and events. Edge and internal administrators cannot view each other's deployment.
  • 28. Domain Properties. To modify a domain's properties, you must have Administrator access in that domain's parent domain.
    • Name and Description: Each domain must have a unique name within its hierarchy. A description is optional.
    • Parent Domain: Second- and third-level domains have a parent domain. You cannot change a domain's parent after you create the domain.
  • 29. Domain Properties (continued)
    • Devices: Only leaf domains may contain devices. In other words, a domain may contain subdomains or devices, but not both. You cannot save a deployment where a non-leaf domain directly controls a device.
    • In the domain editor, the web interface displays available and selected devices according to their current place in your domain hierarchy.
  • 30. Domain Properties (continued)
    • Host Limit: The number of hosts a Firepower Management Center can monitor, and therefore store in network maps, depends on its model. In a multidomain deployment, leaf domains share the available pool of monitored hosts, but have separate network maps.
    • To ensure that each leaf domain can populate its network map, you can set host limits at each subdomain level. If you set a domain's host limit to 0, the domain shares in the general pool.
  • 31. Setting the host limit has a different effect at each domain level:
    • Leaf — For a leaf domain, a host limit is a simple limit on the number of hosts the leaf domain can monitor.
    • Second Level — For a second-level domain that manages third-level leaf domains, a host limit represents the total number of hosts that the leaf domains can monitor. The leaf domains share the pool of available hosts.
  • 32. Host limit (continued)
    • Global — For the Global domain, the host limit is equal to the total number of hosts a Firepower Management Center can monitor. You cannot change it.
    • The sum of subdomains' host limits can add up to more than their parent domain's host limit. For example, if the Global domain host limit is 150,000, you can configure multiple subdomains each with a host limit of 100,000. Any of those domains, but not all, can monitor 100,000 hosts.
    • The network discovery policy controls what happens when you detect a new host after you reach the host limit; you can drop the new host, or replace the host that has been inactive for the longest time.
    • Because each leaf domain has its own network discovery policy, each leaf domain governs its own behaviour when the system discovers a new host.
    • If you reduce the host limit for a domain and its network map contains more hosts than the new limit, the system deletes the hosts that have been inactive the longest.
  • 33. The Basics: Forests. A forest is a collection of one or more domain trees. Forests:
    • Share a common schema
    • Share a common configuration partition
    • Share a common global catalog to enable searching
    • Enable trusts between all domains in the forest
    • Share the Enterprise Admins and Schema Admins groups
  • 34. The Basics: Organizational Units (OUs). OUs are Active Directory containers that can contain users, groups, computers, and other OUs. OUs are used to:
    • Represent your organization hierarchically and logically
    • Manage a collection of objects in a consistent way
    • Delegate permissions to administer groups of objects
    • Apply policies
  • 35. Trusts. Trusts provide a mechanism for users to gain access to resources in another domain. Types of trusts:
    • Directional: The trust direction flows from the trusting domain to the trusted domain (the trusted domain's users get access to the trusting domain's resources).
    • Transitive: The trust relationship is extended beyond a two-domain trust to include other trusted domains. All domains in a forest trust all other domains in the forest; trusts can also extend outside the forest.
  • 36. AD DS Objects
    • User: Enables network resource access for a user
    • InetOrgPerson: Similar to a user account; used for compatibility with other directory services
    • Contacts: Used primarily to assign e-mail addresses to external users; does not enable network access
    • Groups: Used to simplify the administration of access control
    • Computers: Enables authentication and auditing of computer access to resources
    • Printers: Used to simplify the process of locating and connecting to printers
    • Shared folders: Enables users to search for shared folders based on properties
  • 37. Why is a Domain Controller Important? Domain controllers contain the data that determines and validates access to your network, including any group policies and all computer names. Everything an attacker could possibly need to cause massive damage to your data and network is on the DC, which makes a DC a primary target during a cyberattack.
  • 38. Domain Controller vs. Active Directory. ACTIVE DIRECTORY : DOMAIN CONTROLLER :: car : engine. Active Directory is a type of domain, and a domain controller is an important server on that domain. Kind of like how there are many types of cars, and every car needs an engine to operate. Every domain has a domain controller, but not every domain is Active Directory.
  • 39. Domain Control Policy
    • A domain security policy is a security policy that is specifically applied to a given domain or set of computers or drives in a given system. System administrators use a domain security policy to set security protocols for part of a network, including password protocols, access levels and much more.
    • Some technology users confuse domain security policy and domain controller security policy. Experts describe the difference this way: while a domain controller security policy only applies to the specific hardware designated as the domain controller, the domain security policy governs the entire domain. An administrator can, for example, control the required password strength within the domain, change encryption or alter other aspects of domain security by using the domain security policy settings.
    • Those using Microsoft operating systems (OS) and other OS types can often change domain security policy settings through provided controls. Users can change items like password policy, account lockout policy and other aspects of domain security. In other cases, users may have to use more advanced controls to customize a domain security policy.
  • 40. How to create a domain: https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/domain_management.html
  • 41. Domain Control Policy
    • Domain controllers pull some security settings only from group policy objects linked to the root of the domain. Because domain controllers share the same account database for the domain, certain security settings must be set uniformly on all domain controllers. This ensures that the members of the domain have a consistent experience regardless of which domain controller they use to log on. Windows 2000 accomplishes this task by allowing only certain settings in the group policy to be applied to domain controllers at the domain level. This group policy behavior is different for member servers and workstations.
    • The following settings are applied to domain controllers in Windows 2000 only when the group policy is linked to the Domain container:
    • All settings in Computer Configuration/Windows Settings/Security Settings/Account Policies (this includes all of the Account Lockout, Password, and Kerberos policies)
    • The following three settings in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options: Automatically log off users when logon time expires; Rename administrator account; Rename guest account
  • 42. Domain Control Policy
    • The following settings are applied to Windows Server 2003-based domain controllers only when the group policy is linked to the domain container. (The settings are located in Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options.)
    • Accounts: Administrator account status
    • Accounts: Guest account status
    • Accounts: Rename administrator account
    • Accounts: Rename guest account
    • Network security: Force logoff when logon hours expire
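As an added example (not part of the original slides), this PowerShell script audits the point made in slides 41 and 42: it lists the GPOs linked at the domain root and reports which of the Account Policy and Security Options settings named there each one sets, since a GPO linked anywhere else (for instance the Domain Controllers OU) does not deliver those settings to DCs. It assumes a domain-joined host with the GroupPolicy and ActiveDirectory RSAT modules; Parse-SecurityTemplate, Get-DomainRootSecuritySettings and the sample INF fragment are constructed for this example.

```powershell
# Added example (not from the original slides). Assumes RSAT GroupPolicy and
# ActiveDirectory modules; function names and sample data are constructed.

# [System Access] keys in GptTmpl.inf that carry the settings the slides list.
$DcOnlyFromRoot = @{
    NewAdministratorName      = 'Accounts: Rename administrator account'
    NewGuestName              = 'Accounts: Rename guest account'
    EnableAdminAccount        = 'Accounts: Administrator account status'
    EnableGuestAccount        = 'Accounts: Guest account status'
    ForceLogoffWhenHourExpire = 'Network security: Force logoff when logon hours expire'
    MinimumPasswordLength     = 'Password policy: Minimum password length'
    LockoutBadCount           = 'Account lockout policy: Lockout threshold'
}

function Parse-SecurityTemplate {
    # Minimal INI parser that returns only the [System Access] section of a
    # GptTmpl.inf as a hashtable of key -> value (quotes stripped).
    param([Parameter(Mandatory)] [string] $InfText)
    $settings = @{}
    $section = ''
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'System Access' -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $settings[$Matches[1]] = $Matches[2].Trim('"')
    }
    return $settings
}

function Get-DomainRootSecuritySettings {
    # Walks the GPOs linked at the domain root in link order and reports the
    # DC-relevant values each one sets. Only these links reach domain controllers
    # for the settings in $DcOnlyFromRoot.
    $domain = Get-ADDomain
    $links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
        Where-Object Enabled | Sort-Object Order
    foreach ($link in $links) {
        $gpo = Get-GPO -Guid $link.GpoId
        # Security settings live in the GPO's machine-side SecEdit template in SYSVOL.
        $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}" +
               '\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (-not (Test-Path -Path $inf)) { continue }   # GPO sets no security settings
        $values = Parse-SecurityTemplate (Get-Content -Path $inf -Raw)
        foreach ($key in $DcOnlyFromRoot.Keys) {
            if ($values.ContainsKey($key)) {
                [pscustomobject]@{
                    Gpo      = $gpo.DisplayName
                    Order    = $link.Order
                    Enforced = $link.Enforced
                    Setting  = $DcOnlyFromRoot[$key]
                    Value    = $values[$key]
                }
            }
        }
    }
}

# Constructed sample GptTmpl.inf fragment so the parser can be tried offline.
$sampleInf = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 10
NewAdministratorName = "RenamedAdmin"
ForceLogoffWhenHourExpire = 1
[Kerberos Policy]
MaxTicketAge = 10
"@
Parse-SecurityTemplate $sampleInf   # returns the four [System Access] keys above
```

On a domain-joined host, run Get-DomainRootSecuritySettings; a setting from the list that appears only in a GPO linked to the Domain Controllers OU will be absent from this output and, as the slides state, is not applied to the DCs.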
  • 43. Benefits of a Domain Controller
    • Centralized user management
    • Enables resource sharing for files and printers
    • Federated configuration for redundancy (FSMO)
    • Can be distributed and replicated across large networks
    • Encryption of user data
    • Can be hardened and locked down for improved security
  • 44. Limitations of a Domain Controller
    • Target for cyberattack
    • Potential to be hacked
    • Users and OS must be maintained to be stable, secure and up to date
    • Network is dependent on DC uptime
    • Hardware/software requirements